Re: [mailop] [EXT] - Re: [EXT] - Dkim fails, success on same email?

2023-06-20 Thread Salvatore Jr Walter P via mailop
Well I have been speaking to 2 different vendors on this so hopefully they can 
get this straightened out. It sucks having no control and having to wait on 
vendors, who were supposed to have already done this.

From: mailop  On Behalf Of Mark Alley via mailop
Sent: Tuesday, June 20, 2023 1:05 PM
To: mailop@mailop.org
Subject: [EXT] - Re: [mailop] [EXT] - Dkim fails, success on same email?



You'll need to add the DKIM selector (and key) Sophos generated for you to your 
external DNS provider so that other receivers can resolve the key, which 
enables them to validate messages signed by your email filter.

- Mark Alley
On 6/20/2023 11:53 AM, Salvatore Jr Walter P via mailop wrote:
OK, we are still having issues with this.
We are using Sophos as an email gateway.
They generated a DKIM record and are telling us we need to send that to our 
domain registrar to add it to our DNS records?
Is this correct? I understood DKIM was server side only?

From: mailop <mailop-boun...@mailop.org> On Behalf Of Salvatore Jr Walter P via mailop
Sent: Friday, June 16, 2023 2:06 PM
To: 'mailop@mailop.org'
Subject: [EXT] - [mailop] Dkim fails, success on same email?

Getting reports back from several ISPs like the one below.
It shows dkim failing for the IP, but successful for the domain?
The domain “mail-dkim-us-west-2.prod.hydra.sophos.com” uses multiple IPs,
One of which is “198.154.181.72”. We do receive failures on all other IPs as 
well.
Is this an actual issue or something we can ignore?



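<record>
  <row>
    <source_ip>198.154.181.72</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>warwickri.gov</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mail-dkim-us-west-2.prod.hydra.sophos.com</domain>
      <selector>v1</selector>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>warwickri.gov</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>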







___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] [EXT] - Dkim fails, success on same email?

2023-06-20 Thread Salvatore Jr Walter P via mailop
OK, we are still having issues with this.
We are using Sophos as an email gateway.
They generated a DKIM record and are telling us we need to send that to our 
domain registrar to add it to our DNS records?
Is this correct? I understood DKIM was server side only?

From: mailop  On Behalf Of Salvatore Jr Walter P via 
mailop
Sent: Friday, June 16, 2023 2:06 PM
To: 'mailop@mailop.org' 
Subject: [EXT] - [mailop] Dkim fails, success on same email?


Getting reports back from several ISPs like the one below.
It shows dkim failing for the IP, but successful for the domain?
The domain "mail-dkim-us-west-2.prod.hydra.sophos.com" uses multiple IPs,
One of which is "198.154.181.72". We do receive failures on all other IPs as 
well.
Is this an actual issue or something we can ignore?



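<record>
  <row>
    <source_ip>198.154.181.72</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>warwickri.gov</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mail-dkim-us-west-2.prod.hydra.sophos.com</domain>
      <selector>v1</selector>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>warwickri.gov</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>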






Re: [mailop] [EXT] - Re: Dkim fails, success on same email?

2023-06-16 Thread Salvatore Jr Walter P via mailop
Thanks, I assumed this was an issue, but our vendor who controls our DKIM 
(Sophos) added the record and we have no control over it. I am going to have 
our network team contact them and get this fixed.

From: mailop  On Behalf Of Alan Hodgson via mailop
Sent: Friday, June 16, 2023 4:57 PM
To: mailop@mailop.org
Subject: [EXT] - Re: [mailop] Dkim fails, success on same email?


On Fri, 2023-06-16 at 18:05 +, Salvatore Jr Walter P via mailop wrote:
Getting reports back from several ISPs like the one below.
It shows dkim failing for the IP, but successful for the domain?
The domain “mail-dkim-us-west-2.prod.hydra.sophos.com” uses multiple IPs,
One of which is “198.154.181.72”. We do receive failures on all other IPs as 
well.
Is this an actual issue or something we can ignore?



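<record>
  <row>
    <source_ip>198.154.181.72</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>warwickri.gov</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mail-dkim-us-west-2.prod.hydra.sophos.com</domain>
      <selector>v1</selector>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>warwickri.gov</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>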





It appears you're DKIM-signing it, but not with an identifier aligned with your 
From: domain. So DKIM passes but not in a way that satisfies DMARC.

It passed DMARC only because it passes SPF.

You should add a DKIM signature from a domain aligned with your From: domain.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
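
The report discussed in this message, recomputed as an added Python example (not part of the thread): it shows why a record can carry a DKIM `pass` in the raw results and a DKIM `fail` in the DMARC evaluation at the same time. The XML element layout is assumed from the DMARC aggregate report schema, the values are the ones quoted in the thread, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element names follow the DMARC aggregate report schema
# (assumed layout); the values are the ones quoted in the thread.
SAMPLE_RECORD = """<record>
  <row>
    <source_ip>198.154.181.72</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers><header_from>warwickri.gov</header_from></identifiers>
  <auth_results>
    <dkim>
      <domain>mail-dkim-us-west-2.prod.hydra.sophos.com</domain>
      <selector>v1</selector>
      <result>pass</result>
    </dkim>
    <spf><domain>warwickri.gov</domain><result>pass</result></spf>
  </auth_results>
</record>"""


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    A production evaluator consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_record(xml_text, adkim="r", aspf="r"):
    """Recompute the DMARC view of one record from its raw auth_results."""
    rec = ET.fromstring(xml_text)
    header_from = rec.findtext("identifiers/header_from").strip()
    notes = []

    def mechanism(kind, mode):
        # A mechanism counts for DMARC only if it passed AND its domain
        # aligns with the From: header domain.
        ok = False
        for res in rec.findall(f"auth_results/{kind}"):
            domain = res.findtext("domain").strip()
            result = res.findtext("result").strip()
            aligned = is_aligned(domain, header_from, mode)
            notes.append(f"{kind}: domain={domain} result={result} aligned={aligned}")
            ok = ok or (result == "pass" and aligned)
        return "pass" if ok else "fail"

    dkim, spf = mechanism("dkim", adkim), mechanism("spf", aspf)
    return {
        "header_from": header_from,
        "dkim": dkim,
        "spf": spf,
        "dmarc": "pass" if "pass" in (dkim, spf) else "fail",
        "reported_dkim": rec.findtext("row/policy_evaluated/dkim").strip(),
        "reported_spf": rec.findtext("row/policy_evaluated/spf").strip(),
        "notes": notes,
    }


if __name__ == "__main__":
    verdict = evaluate_record(SAMPLE_RECORD)
    for line in verdict["notes"]:
        print(line)
    print("DMARC-evaluated:", {k: verdict[k] for k in ("dkim", "spf", "dmarc")})
```

Swapping the signing domain in the sample for one under warwickri.gov turns the evaluated DKIM result into `pass`, which is the change the reply recommends.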


[mailop] Dkim fails, success on same email?

2023-06-16 Thread Salvatore Jr Walter P via mailop
Getting reports back from several ISPs like the one below.
It shows dkim failing for the IP, but successful for the domain?
The domain "mail-dkim-us-west-2.prod.hydra.sophos.com" uses multiple IPs,
One of which is "198.154.181.72". We do receive failures on all other IPs as 
well.
Is this an actual issue or something we can ignore?



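<record>
  <row>
    <source_ip>198.154.181.72</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>warwickri.gov</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mail-dkim-us-west-2.prod.hydra.sophos.com</domain>
      <selector>v1</selector>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>warwickri.gov</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>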





Re: [mailop] [EXT] - Re: Salesforce abuse bounces

2023-04-03 Thread Salvatore Jr Walter P via mailop
I guess it depends on which domain the OP was trying to report, asalesforce.com 
does exist and it seems a bit dodgy so it could be a typo, or could be the 
actual spammer.

From: mailop  On Behalf Of Frost The Fox via mailop
Sent: Monday, April 3, 2023 2:50 PM
To: Jay Hennigan 
Cc: mailop 
Subject: [EXT] - Re: [mailop] Salesforce abuse bounces

Typo, or am I missing something? You've got asalesforce.com instead of 
salesforce.com there, and indeed smtp.secureserver.net is the MX for that 
domain. Actual SF has Proofpoint MXs.

On Mon, Apr 3, 2023 at 2:45 PM Jay Hennigan via mailop <mailop@mailop.org> wrote:
Trying to report spam from their network, got this:

Reporting-MTA: dns; speedy.sb.west.net
X-Postfix-Queue-ID: 4PqzpV4cYJz6N6gs
X-Postfix-Sender: rfc822; [me]
Arrival-Date: Mon,  3 Apr 2023 11:25:22 -0700 (PDT)

Final-Recipient: rfc822; ab...@asalesforce.com
Original-Recipient: rfc822;ab...@asalesforce.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; smtp.secureserver.net
Diagnostic-Code: smtp; 550 5.1.1 <ab...@asalesforce.com> Recipient not found.
 



--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: [mailop] [EXT] - Re: [EXT] - Dear sympatico.ca

2023-03-25 Thread Salvatore Jr Walter P via mailop
What? I never said they were, I said do what we did with our issue. Please 
reread my response again.




From: f...@dnsbed.com 
Sent: Saturday, March 25, 2023 6:02 AM
To: Salvatore Jr Walter P
Cc: mailop@mailop.org
Subject: [EXT] - Re: [mailop] [EXT] - Dear sympatico.ca

On 2023-03-25 13:54, Salvatore Jr Walter P via mailop wrote:
> You could always do what we do with AT&T. We have been blocked for
> months with no response and no reason given from AT&T. We are a
> government agency, so we simply told our vendors and other entities we
> deal with that if they use AT&T or any ISP associated with them we will
> not be able to communicate with them or use their services. After no
> response from AT&T, we took the response it is no longer our issue and
> let their customers complain that their incoming email is being blocked
> and affecting their bottom line.


From what I know Bell Canada is not the same as ATT global.
They use different systems.
If I am wrong please adjust me.

Thanks


Re: [mailop] [EXT] - Dear sympatico.ca

2023-03-25 Thread Salvatore Jr Walter P via mailop

You could always do what we do with AT&T. We have been blocked for months with 
no response and no reason given from AT&T. We are a government agency, so we 
simply told our vendors and other entities we deal with that if they use AT&T 
or any ISP associated with them we will not be able to communicate with them or 
use their services. After no response from AT&T, we took the response it is no 
longer our issue and let their customers complain that their incoming email is 
being blocked and affecting their bottom line.


From: mailop  on behalf of Lyndon Nerenberg 
(VE7TFX/VE6BBM) via mailop 
Sent: Friday, March 24, 2023 7:37:37 PM
To: mailop@mailop.org
Subject: [EXT] - [mailop] Dear sympatico.ca

If you are going to block my MTA from sending email to your customers,
do us all the favour of preventing your users from sending email
to my MTAs in the first place.

When they send me mail, but you refuse to let me reply, it makes
me look like I'm ignoring them, or blowing them off.  Imputing that
I'm insulting them in that manner is just rude.

Yes, I realize you can implement whatever asinine filtering you
want.  But when you do, please make it reciprocal, so I don't have
to take the heat for your absurd policy decisions.

--lyndon

P.S.  I would have sent this request directly, but 554.


Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-05 Thread Salvatore Jr Walter P via mailop
That looks like it could be very helpful. Thanks!


___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Suresh Ramasubramanian 
Sent: Sunday, March 5, 2023 3:53 AM
To: Salvatore Jr Walter P; 'Josh Daynard'
Cc: mailop@mailop.org; Alessandro Vesely
Subject: [EXT] - Re: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: 
New member, trying to bring our mail server inline.

As far as I see you can configure dkim if this is the Sophos email appliance

https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/GlobalSettings/EmailDomains/DkimKeys/

--srs

From: Salvatore Jr Walter P 
Sent: Sunday, March 5, 2023 6:51:59 AM
To: Suresh Ramasubramanian ; 'Josh Daynard' 

Cc: mailop@mailop.org ; Alessandro Vesely 
Subject: Re: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: New 
member, trying to bring our mail server inline.

Unfortunately that is not possible with the Sophos box as it's the gateway, so 
it's the first place incoming hits and the last place outgoing hits and there 
is no way to change that. We are looking at replacing it as it is really not a 
good system so this may be something I can use to push for another vendor.


___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Suresh Ramasubramanian 
Sent: Saturday, March 4, 2023 7:51 PM
To: Salvatore Jr Walter P; 'Josh Daynard'
Cc: mailop@mailop.org; Alessandro Vesely
Subject: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, 
trying to bring our mail server inline.

As a rule you need to finish your antivirus / antispam etc BEFORE you sign the 
message, especially where this scanning is done by a separate appliance with 
its own mailserver that inserts headers.

--srs

From: mailop  on behalf of Salvatore Jr Walter P via 
mailop 
Sent: Sunday, March 5, 2023 5:21 AM
To: 'Josh Daynard' 
Cc: mailop@mailop.org ; Alessandro Vesely 
Subject: Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, trying to 
bring our mail server inline.

Something just occurred to me, we have a Sophos email appliance. All incoming 
and outgoing email go through that box and it scans everything. Do you think 
that may be modifying the headers before it leaves our network?

From: Josh Daynard 
Sent: Saturday, March 4, 2023 6:37 PM
To: Salvatore Jr Walter P 
Cc: Alessandro Vesely ; mailop@mailop.org
Subject: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: New member, trying to 
bring our mail server inline.


On Mar 4, 2023, at 3:11 PM, Salvatore Jr Walter P via mailop <mailop@mailop.org> wrote:
Sorry, but I have no idea what any of that means?

what is a z tag?

I was curious as well and managed to find a decent resource here:

What are DKIM Tags? https://easydmarc.com/blog/what-are-dkim-tags/



Bottom line is that the verification error you’re seeing (“signature 
verification failed”) is an indication that one of the header fields being used 
to generate the DKIM signature (listed in the h= tag portion of the signature) 
is being altered *after* the signature has been generated but before the 
message is relayed to the destination domain.

Looks like z tags can be used in the DKIM signature for debugging purposes … 
you can copy the original header values that were present during signing into 
this tag and then when signature verification fails, you can compare those 
values to what was actually received to see what was altered (assuming whatever 
altered the header(s) won’t touch the z= tag in your DKIM sig!).

We had this problem early on due to some header fix-ups happening by the MTA 
post DKIM signing.  You need to be sure that DKIM Signing is basically the last 
thing that happens before a message is relayed or at least that none of the 
header fields used to generate the sig are altered!

You would get a different error if the public key couldn’t be retrieved or if 
the body of the message was altered (body hash mismatch).

- Josh


___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Alessandro Vesely <ves...@tana.it>
Sent: Saturday, March 4, 2023 7:12 AM
To: Salvatore Jr Walter P; 'mailop@mailop.org'
Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to bring our mail 
server inline.

On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:

Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-04 Thread Salvatore Jr Walter P via mailop
Unfortunately that is not possible with the Sophos box as it's the gateway, so 
it's the first place incoming hits and the last place outgoing hits and there 
is no way to change that. We are looking at replacing it as it is really not a 
good system so this may be something I can use to push for another vendor.


___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Suresh Ramasubramanian 
Sent: Saturday, March 4, 2023 7:51 PM
To: Salvatore Jr Walter P; 'Josh Daynard'
Cc: mailop@mailop.org; Alessandro Vesely
Subject: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, 
trying to bring our mail server inline.

As a rule you need to finish your antivirus / antispam etc BEFORE you sign the 
message, especially where this scanning is done by a separate appliance with 
its own mailserver that inserts headers.

--srs

From: mailop  on behalf of Salvatore Jr Walter P via 
mailop 
Sent: Sunday, March 5, 2023 5:21 AM
To: 'Josh Daynard' 
Cc: mailop@mailop.org ; Alessandro Vesely 
Subject: Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, trying to 
bring our mail server inline.

Something just occurred to me, we have a Sophos email appliance. All incoming 
and outgoing email go through that box and it scans everything. Do you think 
that may be modifying the headers before it leaves our network?

From: Josh Daynard 
Sent: Saturday, March 4, 2023 6:37 PM
To: Salvatore Jr Walter P 
Cc: Alessandro Vesely ; mailop@mailop.org
Subject: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: New member, trying to 
bring our mail server inline.


On Mar 4, 2023, at 3:11 PM, Salvatore Jr Walter P via mailop <mailop@mailop.org> wrote:
Sorry, but I have no idea what any of that means?

what is a z tag?

I was curious as well and managed to find a decent resource here:

What are DKIM Tags? https://easydmarc.com/blog/what-are-dkim-tags/



Bottom line is that the verification error you’re seeing (“signature 
verification failed”) is an indication that one of the header fields being used 
to generate the DKIM signature (listed in the h= tag portion of the signature) 
is being altered *after* the signature has been generated but before the 
message is relayed to the destination domain.

Looks like z tags can be used in the DKIM signature for debugging purposes … 
you can copy the original header values that were present during signing into 
this tag and then when signature verification fails, you can compare those 
values to what was actually received to see what was altered (assuming whatever 
altered the header(s) won’t touch the z= tag in your DKIM sig!).

We had this problem early on due to some header fix-ups happening by the MTA 
post DKIM signing.  You need to be sure that DKIM Signing is basically the last 
thing that happens before a message is relayed or at least that none of the 
header fields used to generate the sig are altered!

You would get a different error if the public key couldn’t be retrieved or if 
the body of the message was altered (body hash mismatch).

- Josh


___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Alessandro Vesely <ves...@tana.it>
Sent: Saturday, March 4, 2023 7:12 AM
To: Salvatore Jr Walter P; 'mailop@mailop.org'
Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to bring our mail 
server inline.

On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:

Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.

“I see you've included a DKIM signature. I've retrieved the public key from
1._domainkey.warwickri.gov

The signature failed validation. The Auth Result is fail.”


A failing signature should mean a header change.  That's also what I get from
your posts on mailop, signature verification failed (otherwise would've been
body hash mismatch).  Can you turn on z= tags?  Otherwise try carefully
comparing the signed fields, from: subject: to: date:, message-id: and the
signature itself.

Check that no other filters alter those fields after signing.  Can you sign
messages off-line?  Do Bcc: copies verify? (Use any off-line dkim verifier.)


Good luck
Ale
--








Re: [mailop] [EXT] - Re: [EXT] - Re: [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-04 Thread Salvatore Jr Walter P via mailop
Something just occurred to me, we have a Sophos email appliance. All incoming 
and outgoing email go through that box and it scans everything. Do you think 
that may be modifying the headers before it leaves our network?

From: Josh Daynard 
Sent: Saturday, March 4, 2023 6:37 PM
To: Salvatore Jr Walter P 
Cc: Alessandro Vesely ; mailop@mailop.org
Subject: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: New member, trying to 
bring our mail server inline.


On Mar 4, 2023, at 3:11 PM, Salvatore Jr Walter P via mailop <mailop@mailop.org> wrote:
Sorry, but I have no idea what any of that means?

what is a z tag?

I was curious as well and managed to find a decent resource here:

What are DKIM Tags? https://easydmarc.com/blog/what-are-dkim-tags/



Bottom line is that the verification error you’re seeing (“signature 
verification failed”) is an indication that one of the header fields being used 
to generate the DKIM signature (listed in the h= tag portion of the signature) 
is being altered *after* the signature has been generated but before the 
message is relayed to the destination domain.

Looks like z tags can be used in the DKIM signature for debugging purposes … 
you can copy the original header values that were present during signing into 
this tag and then when signature verification fails, you can compare those 
values to what was actually received to see what was altered (assuming whatever 
altered the header(s) won’t touch the z= tag in your DKIM sig!).

We had this problem early on due to some header fix-ups happening by the MTA 
post DKIM signing.  You need to be sure that DKIM Signing is basically the last 
thing that happens before a message is relayed or at least that none of the 
header fields used to generate the sig are altered!

You would get a different error if the public key couldn’t be retrieved or if 
the body of the message was altered (body hash mismatch).

- Josh


___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Alessandro Vesely <ves...@tana.it>
Sent: Saturday, March 4, 2023 7:12 AM
To: Salvatore Jr Walter P; 'mailop@mailop.org'
Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to bring our mail 
server inline.

On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:

Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.

“I see you've included a DKIM signature. I've retrieved the public key from
1._domainkey.warwickri.gov

The signature failed validation. The Auth Result is fail.”


A failing signature should mean a header change.  That's also what I get from
your posts on mailop, signature verification failed (otherwise would've been
body hash mismatch).  Can you turn on z= tags?  Otherwise try carefully
comparing the signed fields, from: subject: to: date:, message-id: and the
signature itself.

Check that no other filters alter those fields after signing.  Can you sign
messages off-line?  Do Bcc: copies verify? (Use any off-line dkim verifier.)


Good luck
Ale
--






___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
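
The distinction drawn in the replies quoted above (a changed signed header versus a body hash mismatch, with `z=` as the debugging aid), as an added Python example that is not part of any message in the thread. It recomputes the relaxed body hash and compares the `z=` copies against the headers as received; it does not verify the RSA signature in `b=`. The addresses, the `example.gov` domain and the message built by `build_sample` are constructed for the illustration.

```python
import base64
import hashlib
import re


def relaxed_body_hash(body):
    """bh= value: SHA-256 over the body after 'relaxed' body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()                       # trailing empty lines are ignored
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def relaxed_value(value):
    """'relaxed' header canonicalization of a field value."""
    return re.sub(r"\s+", " ", value).strip()


def parse_message(raw):
    """Split a CRLF message into ({lowercased name: unfolded value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n(?=[ \t])", "", head)
    fields = {}
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields, body


def parse_tags(sig):
    """DKIM-Signature tag list -> dict; whitespace inside values is dropped."""
    pairs = (part.split("=", 1) for part in sig.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}


def decode_z(z):
    """z= holds 'name:value' copies joined by '|', in dkim-quoted-printable."""
    copies = {}
    for item in filter(None, z.split("|")):
        name, _, qp = item.partition(":")
        copies[name.lower()] = re.sub(
            r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), qp)
    return copies


def diagnose(raw):
    """Separate 'body hash mismatch' from 'signed header changed after signing'."""
    fields, body = parse_message(raw)
    tags = parse_tags(fields["dkim-signature"])
    altered = []
    for name, signed in decode_z(tags.get("z", "")).items():
        now = fields.get(name)
        if now is None or relaxed_value(now) != relaxed_value(signed):
            altered.append((name, signed, now))
    return {"body_hash_ok": relaxed_body_hash(body) == tags["bh"],
            "altered": altered}


def dkim_qp(value):
    """Encode a header value for z= (space, ';', '=', '|' and non-printables)."""
    return "".join(c if "!" <= c <= "~" and c not in ";=|" else "=%02X" % ord(c)
                   for c in value)


def build_sample(received_subject, received_body):
    """Constructed message: signed as 'Budget meeting' / 'Agenda attached.',
    then delivered with whatever subject and body the caller passes in."""
    signed = [("From", "clerk@example.gov"), ("To", "resident@example.net"),
              ("Subject", "Budget meeting")]
    z = "|".join(f"{n}:{dkim_qp(v)}" for n, v in signed)
    bh = relaxed_body_hash("Agenda attached.\r\n")
    return ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.gov;\r\n"
            f" s=1; h=from:to:subject; bh={bh};\r\n z={z};\r\n b=PLACEHOLDER\r\n"
            "From: clerk@example.gov\r\nTo: resident@example.net\r\n"
            f"Subject: {received_subject}\r\n\r\n{received_body}")


if __name__ == "__main__":
    # A filter prepends a tag to Subject after signing; the body is untouched.
    print(diagnose(build_sample("[EXT] - Budget meeting", "Agenda attached.\r\n")))
```

Whitespace-only differences do not show up as alterations, because both sides are compared after relaxed canonicalization, matching the `c=relaxed/relaxed` setting in the signature posted at the start of the thread.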


Re: [mailop] [EXT] - Re: [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-04 Thread Salvatore Jr Walter P via mailop
Sorry, but I have no idea what any of that means?

what is a z tag?

___
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov




From: Alessandro Vesely 
Sent: Saturday, March 4, 2023 7:12 AM
To: Salvatore Jr Walter P; 'mailop@mailop.org'
Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to bring our mail 
server inline.

On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:
> Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.
>
> “I see you've included a DKIM signature. I've retrieved the public key from
> 1._domainkey.warwickri.gov
>
> The signature failed validation. The Auth Result is fail.”


A failing signature should mean a header change.  That's also what I get from
your posts on mailop, signature verification failed (otherwise would've been
body hash mismatch).  Can you turn on z= tags?  Otherwise try carefully
comparing the signed fields, from: subject: to: date:, message-id: and the
signature itself.

Check that no other filters alter those fields after signing.  Can you sign
messages off-line?  Do Bcc: copies verify? (Use any off-line dkim verifier.)


Good luck
Ale
--








Re: [mailop] [EXT] - Re: New member, trying to bring our mail server inline.

2023-03-03 Thread Salvatore Jr Walter P via mailop
Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.

“I see you've included a DKIM signature. I've retrieved the public key from 
1._domainkey.warwickri.gov
The signature failed validation. The Auth Result is fail.”

Now I am really confused. I checked what the link you shared showed and what we 
sent to our ISP and everything seems to match up. Could it be a propagation 
issue? Our DNS host provider added the settings 2 days ago, so I assumed it 
should be working by now?


From: mailop  On Behalf Of Mark Alley via mailop
Sent: Friday, March 3, 2023 11:59 AM
To: mailop@mailop.org
Subject: [EXT] - Re: [mailop] New member, trying to bring our mail server 
inline.


The selector seems to just be "1", of which the published record appears to be 
valid in DNS.

https://tools.wordtothewise.com/dkim/check/warwickri.gov/1

DNS propagation (https://dnschecker.org/#TXT/1._domainkey.warwickri.gov) shows 
the DKIM record is resolvable across the internet, so resolution isn't the 
problem, and it appears to be syntactically valid.

@Salvatore - if you send a test message to the address provided to you on 
https://learndmarc.com, it will show you authentication results of direct 
messages from your mail server which you can use to troubleshoot authentication 
further.

- Mark Alley


On 3/3/2023 10:27 AM, Laura Atkins via mailop wrote:
Based on the headers of the message you sent here (to mailop), you have yet to 
actually publish a public key in DNS.

https://tools.wordtothewise.com/dkim/check/warwickri/1677852725

laura


On 3 Mar 2023, at 14:12, Salvatore Jr Walter P via mailop <mailop@mailop.org> wrote:

We are in the final stages of migrating our exchange server from 2013 to 2019.
I found out we had no SPF, DMARC, DKIM etc setup on our domains.

Trying to get us setup properly and have SPF and DMARC working, DKIM is another 
story.
Setup on the server, sent the key to our ISP for the DNS to be added.
Headers show the signature is being included.

DKIM-Signature: v=1; a=rsa-sha256; d=redacted.gov; s=1; c=relaxed/relaxed;
t=1677851456; h=from:subject:to:date:message-id;(rest of key)


Also from the headers:


Authentication-Results: inbound.redacted.net;
 spf=pass smtp.mailfrom=redacted@ redacted.gov;
 dkim=fail header.d= redacted.gov;
 dmarc=pass (policy=none; pct=100; status=pass);
 arc=none

Any suggestion where to go from here? We are having all emails blocked by AT&T, 
no idea why so trying to get all our ducks in a row and make sure we are doing 
everything the “right” way.

--
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog










[mailop] New member, trying to bring our mail server inline.

2023-03-03 Thread Salvatore Jr Walter P via mailop
We are in the final stages of migrating our exchange server from 2013 to 2019.
I found out we had no SPF, DMARC, DKIM etc setup on our domains.

Trying to get us setup properly and have SPF and DMARC working, DKIM is another 
story.
Setup on the server, sent the key to our ISP for the DNS to be added.
Headers show the signature is being included.

DKIM-Signature: v=1; a=rsa-sha256; d=redacted.gov; s=1; c=relaxed/relaxed;
t=1677851456; h=from:subject:to:date:message-id;(rest of key)


Also from the headers:


Authentication-Results: inbound.redacted.net;
 spf=pass smtp.mailfrom=redacted@ redacted.gov;
 dkim=fail header.d= redacted.gov;
 dmarc=pass (policy=none; pct=100; status=pass);
 arc=none

Any suggestion where to go from here? We are having all emails blocked by AT&T, 
no idea why so trying to get all our ducks in a row and make sure we are doing 
everything the "right" way.